
bot on the scene shows the bad guys haven't given up on an older attack vector they successfully plowed through two months ago with worms like Zotob.

According to Finnish antivirus firm F-Secure Corp., Mocbot-A initially appeared to target the "important" Windows Plug and Play vulnerability that Microsoft patched Oct. 11 in its MS05-047 bulletin.

The flaw sits in the Plug and Play service, the Windows component that supports hardware hot-swapping. Microsoft said attackers could exploit it to remotely run malicious code or gain elevated privileges. Windows 2000 SP4, XP SP1 and XP SP2 are affected.

But F-Secure researchers determined the bot targets an earlier Plug and Play flaw Microsoft patched Aug. 9 in MS05-039. That flaw has already been attacked by a number of Trojan horses, bots and worms, most notably Zotob.

"After further analysis, it turned out the actual vulnerability [Mocbot targets] is not MS05-047 but the old MS05-039," F-Secure said in its daily lab blog. "The confusion was caused by the exploit code used by Mocbot, which resembles publicly available exploit code for MS05-047. Also, we received reports that the bot channel may instruct all joining bots to start automatically scanning for vulnerable computers, thus acting as automatic worms."

Mikko Hypponen, F-Secure's director of AV research, said in an e-mail exchange that it looked as though Mocbot's creators were trying to build a large botnet. But the command servers seemed to be down and "it's going nowhere at the moment," he said. He added that the activity is coming from Russia.

Mocbot details

F-Secure said that when Mocbot's file is started, it copies itself to the Windows system folder as "wudpcom.exe" then creates a service with the following attributes:

Service path: wudpcom.exe

Service name: Windows UDP Communication

F-Secure said when the bot is active, it connects to an IRC server, joins a certain channel and acts as a bot there. It uses the following IRC servers: bbjj.househot.com and ypgw.wallloan.com. "The bot [then] joins a password-protected IRC channel where the hacker can send commands to the bots to control infected computers," F-Secure said.
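The indicators above (the dropped file name, the service name and the two IRC hostnames) are what a responder would sweep a fleet for. The following script is an added example, not F-Secure's or the article's code: it takes the indicators quoted in the text and checks them against two constructed inputs, a list of (service name, image path) pairs as you would export from Win32_Service or `sc query`, and DNS query log lines in an assumed "<timestamp> <client-ip> <query-name>" format. The sample services and log lines are constructed, not real telemetry. It handles the details that make naive string matching miss: quoted image paths with arguments, mixed case, and trailing dots on DNS names.

```python
"""IOC sweep for the Mocbot indicators listed in the article.

Added example, not F-Secure's or the article's code. The indicators
(service name, image file name, IRC server hostnames) come from the
text; the input formats are assumptions: (service name, image path)
pairs as exported from Win32_Service, and DNS query log lines of the
constructed form "<timestamp> <client-ip> <query-name>".
"""
import ntpath
import re

# Indicators quoted in the article (F-Secure's write-up of Mocbot-A).
IOC_SERVICE_NAME = "windows udp communication"
IOC_IMAGE_NAME = "wudpcom.exe"
IOC_IRC_HOSTS = {"bbjj.househot.com", "ypgw.wallloan.com"}


def _image_basename(path_name):
    """Return the lower-cased file name from a service image path.

    Service PathName values may be quoted and carry arguments
    (e.g. '"C:\\WINDOWS\\system32\\wudpcom.exe" -k'), so strip the
    quotes and arguments before taking the basename.
    """
    path_name = path_name.strip()
    if path_name.startswith('"'):
        end = path_name.find('"', 1)
        exe = path_name[1:end] if end != -1 else path_name[1:]
    else:
        exe = path_name.split(" ")[0]
    return ntpath.basename(exe).lower()


def suspicious_services(services):
    """Flag services whose name or image file matches the indicators.

    `services` is an iterable of (name, path_name) tuples. Matching is
    case-insensitive and ignores the directory, because the article says
    the file is dropped into the Windows system folder while the service
    path is recorded as the bare file name.
    """
    hits = []
    for name, path_name in services:
        reasons = []
        if name.strip().lower() == IOC_SERVICE_NAME:
            reasons.append("service name")
        if _image_basename(path_name) == IOC_IMAGE_NAME:
            reasons.append("image name")
        if reasons:
            hits.append((name, path_name, reasons))
    return hits


# Assumed log layout: "<timestamp> <client-ip> <query-name>".
DNS_LINE = re.compile(r"^\S+\s+(?P<client>\S+)\s+(?P<qname>\S+)\s*$")


def c2_lookups(dns_lines):
    """Return (client, qname) for DNS queries to the Mocbot IRC servers.

    Trailing dots and upper case in the query name are normalised so
    that 'BBJJ.HOUSEHOT.COM.' still matches. Malformed lines are skipped.
    """
    found = []
    for line in dns_lines:
        m = DNS_LINE.match(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname in IOC_IRC_HOSTS:
            found.append((m.group("client"), qname))
    return found


# Constructed sample data (not real telemetry).
SAMPLE_SERVICES = [
    ("Spooler", r"C:\WINDOWS\system32\spoolsv.exe"),
    ("Windows UDP Communication", r"C:\WINDOWS\system32\wudpcom.exe"),
    ("wudpcom", r'"C:\WINDOWS\system32\WUDPCOM.EXE" -k'),
    ("PlugPlay", r"C:\WINDOWS\system32\services.exe"),
]
SAMPLE_DNS = [
    "2005-10-13T09:01:02Z 10.0.0.15 www.example.com",
    "2005-10-13T09:01:05Z 10.0.0.15 BBJJ.HOUSEHOT.COM.",
    "2005-10-13T09:02:11Z 10.0.0.22 ypgw.wallloan.com",
    "malformed line",
]

if __name__ == "__main__":
    for name, path_name, reasons in suspicious_services(SAMPLE_SERVICES):
        print(f"service hit: {name!r} ({path_name}) via {', '.join(reasons)}")
    for client, qname in c2_lookups(SAMPLE_DNS):
        print(f"C2 lookup: {client} -> {qname}")
```

On a live Windows host the service list would come from `Get-CimInstance Win32_Service` (Name and PathName) rather than the constructed list; the DNS side assumes you already have resolver or proxy logs, since the bot's IRC traffic itself may not be visible from the endpoint once the command servers are down, as Hypponen notes above.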

Mocbot impact?

Though it's proven to be a dud thus far, its appearance raises two questions:

Could Mocbot's creators adjust their tactics and come up with a way to target the newer Plug and Play flaw?

Could the bot go after the original Plug and Play flaw with the same fury as Zotob?

To both questions, Hypponen's answer was maybe, but not likely.

Using Mocbot to fashion an attack on the new flaw could be done, he said, "but it wouldn't be that simple. There is public exploit code against MS05-047, but this code could not be used directly to create a worm." And, he added, "As there's no suitable exploit floating around, we don't expect to see a worm using the [newer] vulnerability just yet."
